Abstract: An adaptive cruise control (ACC) system maintains the vehicle at the given target speed when there is no leading vehicle in the sensor range. On the other hand, in the presence of a leading vehicle, the system maintains a safe distance between the vehicles while driving as close as possible to the target speed. For such an automated system, besides meeting safety requirements, it is also important to provide a comfortable drive. In this paper, we develop a formal model for an adaptive cruise control system based on timed automata and express specifications in temporal logics. The proposed model supports different acceleration levels. Parametric constraints govern the transitions to the states associated with acceleration levels. The proposed parameter optimization methods generate parameter valuations for particular driving styles while guaranteeing safety and the specifications over the target speed. Therefore, the resulting system is guaranteed to satisfy the requirements while the driver comfort is optimized. The models and the synthesis approach are illustrated with examples.
1. INTRODUCTION


A cruise control system is a driver assistance system that aims at making driving more comfortable and convenient for the driver. The only functionality provided by a conventional cruise control system is keeping the vehicle at a preset target speed, which is determined by the driver. An adaptive cruise control (ACC) system extends the conventional cruise control system with the ability to follow a leading vehicle in the same lane at a safe distance. When there is no leading vehicle within the sensor range, the ACC system maintains the vehicle at the target speed (SAE J2399, 2014). However, when there is a leading vehicle within the sensor range, the ACC system adjusts the speed by accelerating or decelerating (negative acceleration) and follows the leading vehicle at a safe distance unless the leading vehicle accelerates beyond the target speed, in which case the system only accelerates up to the target speed. Two cars driving in the same lane, illustrating the ACC problem, are shown in Fig. 1.
Fig. 1. Two vehicles with speeds v, vl and distance d.


While cruise control systems are considered driver assistance systems, which implies that the system's operation will be supervised by the human driver at all times, safety is still of paramount importance. Therefore, the correctness of such automated systems should be guaranteed. This paper presents a formal methods approach to generate ACC systems based on timed automata.


Timed automata (TA) is a formalism for modeling real-time systems. A timed automaton can simply be viewed as a finite automaton extended with a set of real-valued variables, called clocks, which capture time (Alur, 2015). The clocks enrich the semantics, and the constraints on the clocks restrict the behavior of the automaton. An established approach to verifying the correctness of TA models is model checking, where the specifications are expressed in a formal language and efficient algorithms are used to check whether the model satisfies the given specification. In a TA, the clock constraints are defined as inequalities, e.g., x < 5 for clock x. A TA is called parametric when parameters are used in place of constants, e.g., x < p. For a parametric TA, the goal of the parameter synthesis problem is to find the set of all parameter valuations such that, when the parameters are replaced with the corresponding valuations, the resulting TA satisfies the given specification. In general, the parameter synthesis problem is undecidable (Beneš et al., 2015; Étienne, 2019). However, the integer-valued parameter synthesis problem over a bounded search space is decidable (Beneš et al., 2015). In addition, efficient parameter synthesis methods based on monotonicity properties exist for specific classes of TA such as L/U automata (Hune et al., 2002).


In this paper, the ACC system, the leading vehicle and the distance between the vehicles are modeled as timed automata (TA). For the ACC system, the automaton states represent the acceleration levels. Parametric constraints are defined to govern the transitions between the acceleration modes. The leading vehicle has a similar model, but it changes its state (acceleration level), and thus its speed, non-deterministically. Finally, the distance automaton synchronizes these TAs and models the distance between the vehicles with respect to their speeds. The system specifications, including the safety requirements, are expressed formally in Computation Tree Logic (CTL). For example, the safety requirement is formulated as ∀□(d > d_min), i.e., the distance should be greater than the minimum safety distance d_min at all times. The specification over the target speed is defined as ∃◇(v = v_target), i.e., the target speed can be reached.


The ACC design problem is studied extensively in the control and traffic communities (Jing Zhou and Huei Peng, 2005; Nilsson et al., 2016; Xiao and Belta, 2019; Magdici and Althoff, 2017). In earlier works, the control architecture and low-level controller design are studied (Jing Zhou and Huei Peng, 2005). Considering the critical nature of the problem, recent works focus on designing correct-by-construction systems. Nilsson et al. (2016) design an ACC system from formal specifications via fixed point computations, whereas Xiao and Belta (2019) employ control barrier functions for ACC design. In these works, the vehicle is modeled as a lumped point mass and the force to be applied is computed. As in this paper, Larsen et al. (2015) present a TA model for ACC design, where the controller output is the acceleration level. The TA from (Larsen et al., 2015) has a single acceleration and a single deceleration level. The transitions are non-deterministic and a feedback control automaton is synthesized to guarantee safety. In this work, by contrast, a parametric TA is generated for any given number of acceleration levels. Then the parameters of the TA are synthesized in an automated way such that the resulting TA is guaranteed to satisfy the specifications while the driver comfort is optimized. Furthermore, even though the parametric TA does not belong to the L/U class, it is shown that the parameters are monotonic, and this property is used to synthesize optimal parameters in an efficient way.


2. ADAPTIVE CRUISE CONTROL PROBLEM 
2.1 System Description 


A vehicle is modeled with discrete time motion dynamics:

v_{k+1} = v_k + a_k,  a_k ∈ U   (1)

where, at time step k, v_k is the speed and a_k is the acceleration (or deceleration for a_k < 0) that takes values from a finite set U with 0 ∈ U. The speed limits are denoted by v_min and v_max.


The vehicles are equipped with a distance sensor. The sensor can detect the relative position of a leading vehicle when it is in the sensor range, which is denoted by d_range. The target speed set by the driver is denoted by v_target ∈ [v_min, v_max]. In the considered setup, the ACC system knows its own speed v_k, receives from the sensor system the measured distance d ∈ [0, d_range] of the leading vehicle if there is one, and then sets the acceleration level a_k. The leading vehicle has the same dynamics (e.g. the same acceleration levels). However, its acceleration, speed and control logic are unknown to the controlled vehicle. There are two cases in which a new vehicle enters the sensor range. First, a vehicle driving in the same lane enters the range at d_range, e.g. a slower vehicle appears in front. Second, a vehicle can enter via a lane switch at a distance d ∈ (d_lane, d_range], where d_lane denotes the minimum lane switch distance under normal driving conditions. The second case is only allowed when there is no other leading vehicle, to avoid too close manoeuvres.


2.2 Specifications 


The first specification is crash avoidance. A safe distance, d_min, between the controlled and the leading vehicles should be maintained, i.e.,

Safety: d > d_min at all times

Second, the vehicle should reach the target speed when it is safe.

TargetSpeed: reach v_target when safe.

Finally, the ACC system should keep the speed within the limits, i.e.,

SpeedLimits: v_min ≤ v ≤ v_target at all times

For the driver comfort, frequent accelerations and decelerations should be avoided and the vehicle should maintain its speed at the target when it is safe (e.g. no oscillation around v_target). In addition, sharp decelerations should be avoided unless necessary.

Problem: Given system (1), design an ACC that satisfies the specifications while optimizing the driver comfort.


2.3 Example System 


The parameters of an example system are defined as follows. The speed limits are v_min = 10 m/s and v_max = 30 m/s. The acceleration levels are U = {-2, -1, 0, 1}. The target speed is v_target = 20 m/s, which can be changed by the driver. The sensor range is d_range = 150 m. The minimum allowed lane change distance is d_lane = 100 m. The safety distance is d_min = 15 m (e.g. half of the maximum distance traveled in a second).


3. TIMED AUTOMATA MODELS FOR ACC 


In this section, we describe the developed TA models and their formal specifications for the adaptive cruise control problem². For detailed information on TA and temporal logics, we refer the interested reader to Alur (2015). The overall model consists of three timed automata. The first automaton, shown in Fig. 2, models the distance measured by the controlled vehicle and synchronizes the TA network. The second (Fig. 3) and the third (Fig. 4) automata model the speed of the controlled and the lead vehicles, respectively.

¹ Other systems such as the emergency brake system should be active when this assumption is violated.

² The TA extensions implemented in UPPAAL such as committed locations and integer variables are used in the models (UPP, 2005).




Preprints of the 21st IFAC World Congress (Virtual) 
Berlin, Germany, July 12-17, 2020 


3.1 The Distance Automaton 


The distance automaton can be seen in Fig. 2. It has the initial location wait and five committed locations marked with "c". Time cannot pass in a committed location. In other words, when it is reached, the next transition must be taken from there immediately. Thus, in the distance TA, time can only pass at location wait, and the transitions through the other locations are all instantaneous.


[Fig. 2 diagram. Locations: wait (invariant x <= 1), update, range, lead, noLead, cruise. Edges: wait -> update on x == 1, resetting x; update -> range with d = d + (vl - v) > drange ? drange : ((d + (vl - v)) > 0 ? d + (vl - v) : 0); range -> lead on d != drange, then lead -> cruise with wake_lead!; range -> noLead on d == drange, then noLead -> cruise with new_lead! and tmp:int[dlane,drange], d = tmp; cruise -> wait with wake_controlled!.]

Fig. 2. Distance TA: Synchronizes the network and updates the distance.


The TA has a single clock named x, which is reset on the transition leaving wait. wait has the invariant x ≤ 1, and x should be 1 to take the transition. Hence, every second, the TA leaves wait and makes a loop through either lead or noLead. First, it goes to update when x is 1 and resets the clock. Then, it goes to range and updates the distance between the lead and the controlled vehicles with respect to their speeds v and vl, which are modeled by the control TA and the lead TA, respectively. Note that the distance, d, is set to d_range when the computation returns a higher value, to mimic the sensor range. Then, it goes to lead or noLead with respect to the computed d to model the constraint that a lane switch can only occur when there is no leading vehicle. In the lane switch case, the new_lead signal is sent to the lead TA and the distance is set to a random value in [d_lane, d_range], modeling the restrictions from Sec. 2.1. If there is a leading vehicle, the wake_lead signal is sent to the lead TA. After that, it goes to the cruise location, and then finalizes the loop by going to wait with the wake_controlled signal sent to the control TA. The control and lead TAs compute their speeds only when they receive a signal from the distance TA.


3.2 The Cruise Control Automaton 


First, the control automaton for the example defined in Sec. 2.3 is described, and then a method to construct a control TA for any number of deceleration levels is defined.

The example system has two deceleration levels and a single acceleration level. The corresponding control TA is shown in Fig. 3. The TA is composed of an initial location called wait and four committed locations: decide and a location for each level l_0, l_1, and l_2. It does not have a local clock. It only leaves wait and goes to decide when it receives the wake_controlled signal from the distance automaton. Then it goes to one of the acceleration locations l_0, l_1, and l_2 or to wait based on the measured distance d (computed in the distance TA) and its current speed v.


[Fig. 3 diagram. Locations: wait, decide (c), l0 (c), l1 (c), l2 (c). Edges: wait -> decide on wake_controlled?; decide -> l0 with guard d0 <= d, or d1 <= d && d < d0 && v < v1l, or d < d1 && v < v2l; decide -> wait with guard d1 <= d && d < d0 && v1l <= v && v < v1u, or (d < d1) && (v2l <= v) && (v < v2u); decide -> l1 with guard d1 <= d && d < d0 && v1u <= v; decide -> l2 with guard d < d1 && v2u <= v; l0 -> wait with v = v + acc >= vtarget ? vtarget : v + acc; l1 -> wait with v = v + a1 <= vmin ? vmin : v + a1; l2 -> wait with v = v + a2 <= vmin ? vmin : v + a2.]

Fig. 3. Control TA: Implements the cruise control schema.


We present the control TA construction method for any number of acceleration levels. Let U = {a_0, 0, a_1, ..., a_m} be the acceleration levels given in decreasing order, i.e., a_i > a_{i+1} for i = 1, ..., m-1 (single positive acceleration level a_0). The control automaton is constructed with 2 + m locations and 1 + 4m transitions. In particular, in addition to the wait and decide locations and the wake transition from wait to decide, 1 new location and 4 new transitions are introduced for each level except 0 ∈ U. Note that the only positive acceleration level is a_0. For a_0, a committed location l_0, a transition from decide to l_0 with guard d_0 ≤ d, and a transition from l_0 to wait with the following update rule are added to the model:

v := v + a_0 if v + a_0 < v_target, and v := v_target otherwise


For each a_i ∈ U \ {0, a_0}, the following steps are performed to construct the parametric TA:

• add committed location l_i;
• add a transition from decide to l_i with guard (slow down with a_i)
  d_i ≤ d && d < d_{i-1} && v_i^u ≤ v
• add a transition from decide to wait with guard (keep the speed constant at v)
  d_i ≤ d && d < d_{i-1} && v_i^l ≤ v && v < v_i^u
• add a transition from decide to l_0 with guard (increase the speed)
  d_i ≤ d && d < d_{i-1} && v < v_i^l
• add a transition from l_i to wait with update rule:
  v := v + a_i if v + a_i > v_min, and v := v_min otherwise

The lower bound v_i^l and the upper bound v_i^u partition [v_min, v_target] into three regions: [v_min, v_i^l), [v_i^l, v_i^u) and [v_i^u, v_target]. Consider the case when d ∈ [d_i, d_{i-1}). The vehicle accelerates if v ∈ [v_min, v_i^l) (transition to l_0), keeps its speed constant if v ∈ [v_i^l, v_i^u) (transition to wait), and decelerates if v ∈ [v_i^u, v_target] (transition to l_i).


The distance bounds d_0, d_1, ..., d_{m-1} and the velocity bounds v_1^l, v_1^u, ..., v_m^l, v_m^u are the parameters of the TA that need to be set, whereas v_min, v_max, a_0, ..., a_m and v_target are initialized with respect to the considered system. Note that the guard definitions (transition constraints) guarantee that for any parameter assignment satisfying the ordering defined in (2) and (3), the resulting control TA will be deterministic, since the constraints (guards) on the transitions leaving decide are mutually exclusive and a unique transition leaves every other location. (4) is imposed to form an ordering of the velocity bounds across the different distance intervals.

d_{i+1} < d_i for i = 0, ..., m-1   (2)
v_i^l < v_i^u for i = 1, ..., m   (3)
v_{i+1}^l ≤ v_i^l and v_{i+1}^u ≤ v_i^u for i = 1, ..., m-1   (4)


3.3 The Leading Vehicle Automaton 


The TA modeling the leading vehicle is shown in Fig. 4. It has three locations: the initial location wait and two committed locations decide and lane_switch. When it receives the wake_lead signal from the distance TA, it randomly accelerates, decelerates (within the speed limits) or maintains its speed and goes back to wait through decide. If it receives the new_lead signal, it sets its speed to a random value from [v_min, v_max] through lane_switch, mimicking a vehicle switching to the same lane as the controlled vehicle.

In general, each u ∈ U is represented through a transition from decide to wait with the corresponding speed update, e.g. vl := vl + u. There is no guard defined over these transitions, thus one of them is picked non-deterministically to model the uncertainty over the lead vehicle's behavior.


[Fig. 4 diagram. Locations: wait, decide (c), lane_switch (c). Edges: wait -> decide on wake_lead?; decide -> wait, one edge per acceleration level acc ∈ U, with vl = (vl + acc >= vmax) ? vmax : vl + acc; wait -> lane_switch on new_lead?; lane_switch -> wait with tmp:int[vmin,vmax], vl = tmp.]

Fig. 4. Lead TA: Models the leading vehicle.


The following parameters of the TA models are initialized with respect to the considered system:

d_range, d_lane, v_target, v_min, v_max, a_0, a_1, ..., a_m

whereas the distance thresholds d_0, d_1, ..., d_{m-1} and the velocity thresholds v_1^l, v_1^u, ..., v_m^l, v_m^u from the control automaton should be defined. Our goal is to find these parameters such that the resulting system optimizes the driver comfort and satisfies the specifications, which are formalized in the next section.


3.4 Formal Specifications 


The specifications are expressed in Computation Tree Logic (CTL). The ACC specifications given in Sec. 2.2 are described by the following formula

Φ_acc = Φ_safe ∧ Φ_target ∧ Φ_deadlock ∧ Φ_limits   (5)

Φ_safe encodes the safety property; it requires that d ≥ d_min is always true:

Φ_safe = ∀□ d ≥ d_min   (6)

Φ_target encodes the liveness property; it indicates that it should be possible to reach the target speed:

Φ_target = ∃◇ v = v_target   (7)

Φ_limits encodes the restrictions over the speed:

Φ_limits = ∀□ (v_min ≤ v ∧ v ≤ v_target)   (8)

Finally, the last one, Φ_deadlock, is a commonly used formula to check for modeling errors. It ensures that the system does not get stuck in a state, i.e., a deadlock does not occur:

Φ_deadlock = ∀□ not deadlock   (9)


4. PARAMETER SYNTHESIS 


The proposed TA models and formal specifications reduce the ACC design problem from Sec. 2 to a parameter synthesis problem for timed automata. While the search space is bounded, the TA does not belong to the L/U class, since parameters are used as both upper and lower bounds, e.g., see d_1. In this section, we first define the solution space and enumerate each element in it, which leads to a greedy solution. Then, we define optimization criteria to improve the driver comfort. Finally, we present an efficient iterative heuristic approach to find the optimal parameters.


The search space for the parameter synthesis problem is defined in (10), i.e., the product of the search spaces over the distance thresholds and the speed thresholds satisfying the ordering constraints.

S = {(d, v) = ((d_0, ..., d_{m-1}), (v_1^l, v_1^u, ..., v_m^l, v_m^u)) |
  d_i ∈ {d_min, d_min + 1, ..., d_range} for each i ∈ {0, ..., m},   (10)
  v_i^l, v_i^u ∈ {v_min, ..., v_target} for each i ∈ {0, ..., m},
  (d, v) satisfies (2) and (3)}   (11)


Note that the parameters are bounded and take integer values, thus the search space is finite³. In particular, the cardinality of S is


| s |= ~ E = a — Umin +M + i (12) 
m 2m 
where (N choose k) denotes the number of k-combinations of a


set with N elements. As (d, v) ∈ S satisfies the ordering constraints, the corresponding control TA (e.g., see Fig. 3) is deterministic. However, it might not satisfy the specification formula Φ_acc (5). The following greedy synthesis approach finds the set of parameter valuations Sat ⊆ S satisfying the specification. Let T denote the overall parametric timed automata model (i.e., consisting of the three automata), and for a given parameter valuation (d, v), let T(d, v) denote the TA initialized with parameters (d, v).


GreedyApproach:
  Initialize Sat = ∅
  For each (d, v) ∈ S:
    Model check T(d, v) against Φ_acc
    If satisfied, add (d, v) to Sat


As stated in Sec. 2.2, the objective is to choose the parameter valuation among Sat that optimizes the driver comfort. The driving experience can be improved by (1) avoiding frequent switches between acceleration levels, (2) maintaining the target speed as much as possible and (3) avoiding sharp decelerations. Due to the non-deterministic nature of the overall TA model because of the lead vehicle, a worst case scenario optimization can be performed. However, the listed criteria conflict with each other. For example, increasing d_0 reduces the time driven at the target speed (thus conflicts with (2)) and decreases the time spent in a lower deceleration level (improves (3)). A possible approach is to optimize the weighted sum of these criteria. Note that the greedy approach is guaranteed to find the optimal solution for any given optimization function. However, it is computationally very expensive. Next, we present an iterative approach that uses the monotonicity of the parameters to iteratively optimize each parameter in an efficient way. The variations in the parameter optimization step generate strategies optimizing different criteria.

³ This is a limitation imposed by UPPAAL. It can be mitigated via scaling.


Analysis of Φ_target (7): The model construction guarantees that d_0 ≤ d_range and the transition to the a_0 location (acceleration) is taken whenever d ≥ d_range. Thus, for any (d, v) ∈ S, T(d, v) satisfies Φ_target.

Analysis of Φ_limits (8): The update rules for the speed in the control TA guarantee that v ∈ [v_min, v_target] at all times.

Analysis of Φ_deadlock (9): The property is satisfied when each state of the timed transition system generated from the TA has a successor state (Alur, 2015). Due to the ordering property of the constraint thresholds (10), for any (d, v) ∈ S, T(d, v) satisfies Φ_deadlock.


Thus, the goal is to find a parameter valuation (d, v) ∈ S satisfying Φ_safe while optimizing the driver comfort. The proposed approach starts from the most strict parameter valuation (d*, v*) defined in (13).

(d*, v*) ∈ S where   (13)
d* = (d_range, d_range - 1, ..., d_range - m + 1)
v* = (v_1^{l*}, v_1^{u*}, ..., v_m^{l*}, v_m^{u*}) with
v_i^{l*} = v_min, and v_i^{u*} = v_min + 1 for each i   (14)

The parameter valuation (13) is strict in the sense that it generates the most aggressively decelerating policy from S. In particular, when d < d_range, it decelerates with the lowest possible a ∈ U allowed by the ordering constraints. Furthermore, due to the v* definition, from the decide location only the transitions to the locations associated with deceleration (l_i, i > 0) can be taken when d < d_range and v ≠ v_min. The proposed approach iteratively relaxes the thresholds from (d*, v*) by using the monotonicity of the parameters, which is defined next.


Monotonicity for the distance parameters: Consider two parameter valuations (d^a, v) and (d^b, v) satisfying d_i^a < d_i^b for some i ∈ {0, ..., m} and d_j^a = d_j^b for each j ≠ i. Then, if T(d^a, v) satisfies Φ_safe, T(d^b, v) also satisfies Φ_safe.

The property indicates that if two parameter valuations are the same except for the i-th distance parameter, then if the one with the lower distance threshold satisfies the safety specification, the other one also satisfies it. The property follows from the speed restrictions (4): T(d^b, v) starts decelerating at a higher rate (with a_{i+1}) earlier than T(d^a, v). Furthermore, for parameter valuations (d^a, v) and (d^b, v), if T(d^b, v) does not satisfy Φ_safe, then T(d^a, v) does not satisfy Φ_safe either, which is utilized to perform a binary search.

Monotonicity for the speed upper bound: Consider two parameter valuations (d, v^a) and (d, v^b) satisfying v_i^{u,a} < v_i^{u,b} for some i ∈ {1, ..., m}, v_j^{u,a} = v_j^{u,b} for each j ≠ i, and v_j^{l,a} = v_j^{l,b} for each j ∈ {1, ..., m}. Then, if T(d, v^b) satisfies Φ_safe, T(d, v^a) also satisfies Φ_safe.

The property indicates that if two parameter valuations are the same except for the i-th speed upper bound, then if the one with the higher bound satisfies the safety specification, the other one also satisfies it.

Monotonicity for the speed lower bound: Consider two parameter valuations (d, v^a) and (d, v^b) satisfying v_i^{l,a} < v_i^{l,b} for some i ∈ {1, ..., m}, v_j^{l,a} = v_j^{l,b} for each j ≠ i, and v_j^{u,a} = v_j^{u,b} for each j ∈ {1, ..., m}. Then, if T(d, v^b) satisfies Φ_safe, T(d, v^a) also satisfies Φ_safe.


Algorithm 1 ParameterOptimization
1: (d, v) = (d*, v*) from (13)
2: return ∅ if T(d, v) does not satisfy Φ_safe
3: d_m = d_min, v_0^l = v_target, v_0^u = v_target (edge conditions)
4: (d', v') = ∅ (initialization)
5: while (d, v) ≠ (d', v') do
6:   for i = m to 1 do
7:     (d', v') = (d, v)
8:     Next(Dist-i, T, (d, v), d_{i-1}, d_i, Φ_safe)   ▷ Next(p, T, (d, v), c, b, Φ) finds a parameter valuation for p within bounds c and b such that T(d, v) satisfies Φ.
9:     Next(v-u-i, T, (d, v), v_i^u, v_{i-1}^u, Φ_safe)
10:    Next(v-l-i, T, (d, v), v_i^l, min(v_i^u, v_{i-1}^l), Φ_safe)
11:   end for
12: end while
13: return (d, v)


The proposed optimization method is summarized in Alg. 1. First, it checks whether T(d*, v*) satisfies the specification. By the monotonicity properties of the parameters, if T(d*, v*) does not satisfy the specification, then no (d, v) ∈ S satisfies it. If T(d*, v*) satisfies Φ_safe, then starting from the lowest acceleration level (highest deceleration rate), for each level, the next distance threshold, speed upper bound and speed lower bound are found in this order. Note that in each of the optimization steps (lines 8, 9, 10), a single parameter is found by virtue of the monotonicity analysis. The main loop continues as long as there is progress in at least one of the parameters (line 5). The speed bounds create a buffer zone between the different acceleration levels, thus relaxing the speed bounds (lines 9, 10) avoids frequent switches between the acceleration levels, contributing to the first criterion.


Two approaches are used to find the next satisfying valuation. The first one is to use binary search within the given lower and upper bounds (e.g. d_{i-1}, d_i). In this case, the tightest valuation is found for each parameter in the order in which the optimization is performed, i.e., d_{m-1}, d_{m-2}, ..., d_0, v_m^u, v_m^l, v_{m-1}^u, v_{m-1}^l, ..., v_1^u, v_1^l. The order for the speed bounds is reversed due to the initial condition and constraint (4). This approach finds the optimal parameter valuation for avoiding higher deceleration rates.


Algorithm 2 FindNext(T, (d, v), c, b, param, Φ)
1: repeat
2:   b = (c + b)/2 (floor when b > c, i.e., maximization; ceiling for minimization)
3:   Set param to b in (d, v)
4: until T(d, v) satisfies Φ


The second approach to find the next satisfying valuation 
is shown in Alg. 2. Essentially, it is a modified binary 
search, where the search is terminated when a satisfying 
value is found. This heuristic approach iteratively relaxes 
each parameter to find a smooth policy. 
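The greedy search, Algorithm 1 and FindNext (Alg. 2) can be exercised end to end with a small stand-in for the model checker. The following Python script is an added example, not code from the paper or from UPPAAL: it encodes the control TA construction of Sec. 3.2 as a decision function, decides Φ_safe by exhaustively exploring the reachable (d, v, vl) states for every non-deterministic choice of the lead TA (one loop of the distance TA per step), builds the strict valuation (13), and runs Algorithm 1 with either the full binary search or the FindNext halving. Everything not stated in the paper is an assumption of the example: integer distances and speeds, the initial state (d_range, v_min, v_min), a lane switch that may place the lead at any distance in [d_lane, d_range] with any speed in [v_min, v_max], and the bounds d_i + 1 and v_i^u - 1 that keep (2) and (3) strict during relaxation. The names System, levels, control_step, satisfies_safe, strict_valuation, relax and parameter_optimization are the example's own.

```python
"""Added example (not the paper's code): control TA decision function, exhaustive
check of Phi_safe, strict valuation (13), Algorithm 1 with both relaxation modes."""
from collections import deque, namedtuple

# accels = U as (a_0, 0, a_1, ..., a_m) in decreasing order; other fields as in Sec. 2
System = namedtuple("System", "accels vmin vmax vtarget drange dlane dmin")

def levels(s):                  # m, the number of deceleration levels
    return len(s.accels) - 2

def control_step(s, d, v, dist, speed):
    """Control TA: decide -> l0 / wait / l_i and the update rule of that edge.
    d = [d_0..d_{m-1}], v = [v_1^l, v_1^u, ..., v_m^l, v_m^u], d_m = d_min."""
    accelerate = min(speed + s.accels[0], s.vtarget)   # l0 update rule
    if dist >= d[0]:
        return accelerate
    i = 1                                              # level i: d_i <= dist < d_{i-1}
    while i < levels(s) and dist < d[i]:
        i += 1
    if speed < v[2 * i - 2]:
        return accelerate                              # below v_i^l: decide -> l0
    if speed < v[2 * i - 1]:
        return speed                                   # in [v_i^l, v_i^u): decide -> wait
    return max(speed + s.accels[i + 1], s.vmin)        # decide -> l_i, decelerate by a_i

def satisfies_safe(s, d, v):
    """Exhaustive reachability over (d, v, vl), one distance-TA loop per step:
    True iff d >= d_min in every reachable state for every lead behaviour."""
    start = (s.drange, s.vmin, s.vmin)        # assumed initial state (not from the paper)
    seen, queue, switch = {start}, deque([start]), {}
    while queue:
        dist, speed, vlead = queue.popleft()
        dist = max(0, min(s.drange, dist + vlead - speed))   # distance TA update
        if dist < s.dmin:
            return False
        if dist == s.drange:    # noLead: new_lead! picks d in [d_lane, d_range], any vl
            if speed not in switch:
                switch[speed] = [(dd, control_step(s, d, v, dd, speed), vv)
                                 for dd in range(s.dlane, s.drange + 1)
                                 for vv in range(s.vmin, s.vmax + 1)]
            succ = switch[speed]
        else:                   # lead: wake_lead! (any u in U), then wake_controlled!
            nspeed = control_step(s, d, v, dist, speed)
            succ = [(dist, nspeed, max(s.vmin, min(s.vmax, vlead + u))) for u in s.accels]
        for st in succ:
            if st not in seen:
                seen.add(st)
                queue.append(st)
    return True

def strict_valuation(s):
    """(d*, v*) from (13)-(14): the most aggressively decelerating policy in S."""
    return [s.drange - i for i in range(levels(s))], [s.vmin, s.vmin + 1] * levels(s)

def relax(check, current, bound, first_only):
    """Move one parameter from `current` (known to satisfy) toward `bound`, using
    monotonicity. first_only: FindNext (Alg. 2), halve the gap until a satisfying
    value appears; otherwise binary search for the tightest satisfying value."""
    step = 1 if bound >= current else -1
    sat = lambda x: check(current + step * x)
    gap = abs(bound - current)
    if first_only:
        x = gap // 2
        while x and not sat(x):
            x //= 2
        return current + step * x
    lo, hi = 0, gap                           # sat(lo) holds; answer lies in [lo, hi]
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if sat(mid):
            lo = mid
        else:
            hi = mid - 1
    return current + step * lo

def parameter_optimization(s, first_only=False):
    """Algorithm 1: relax (d*, v*) level by level (m down to 1) until nothing changes.
    Returns None when even (d*, v*) violates Phi_safe (then no valuation in S does)."""
    d, v = strict_valuation(s)
    if not satisfies_safe(s, d, v):
        return None

    def writer(vec, k):                       # check function that sets parameter k
        def check(x):
            vec[k] = x
            return satisfies_safe(s, d, v)
        return check

    m, changed = levels(s), True
    while changed:
        before = (list(d), list(v))
        for i in range(m, 0, -1):
            # line 8: d_{i-1} down toward d_i (bound d_i + 1 keeps (2) strict; d_m = d_min)
            lower = d[i] + 1 if i < m else s.dmin
            d[i - 1] = relax(writer(d, i - 1), d[i - 1], lower, first_only)
            # line 9: v_i^u up toward v_{i-1}^u (v_0^u = v_target)
            vu_prev = v[2 * i - 3] if i > 1 else s.vtarget
            v[2 * i - 1] = relax(writer(v, 2 * i - 1), v[2 * i - 1], vu_prev, first_only)
            # line 10: v_i^l up toward min(v_i^u - 1, v_{i-1}^l) (v_0^l = v_target)
            vl_prev = v[2 * i - 4] if i > 1 else s.vtarget
            v[2 * i - 2] = relax(writer(v, 2 * i - 2), v[2 * i - 2],
                                 min(v[2 * i - 1] - 1, vl_prev), first_only)
        changed = (d, v) != before
    return tuple(d), tuple(v)

if __name__ == "__main__":
    # Example system of Sec. 2.3 (values from the paper); each check explores ~35k states.
    paper = System((1, 0, -1, -2), vmin=10, vmax=30, vtarget=20, drange=150, dlane=100, dmin=15)
    print("binary search:", parameter_optimization(paper))
    print("FindNext     :", parameter_optimization(paper, first_only=True))
```

Because the safety check is exhaustive, every valuation the script returns is safe by construction, but the numbers need not coincide with those of Sec. 4.1: the paper's UPPAAL model may fix the initial state or order the updates differently, so the script is a way to watch the two relaxation strategies at work, not a reproduction of the reported values.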


4.1 Parameter Synthesis for the Example System 


In this section, we present the numerical results for the system introduced in Sec. 2.3. The safety requirement is Φ_safe = ∀□ d ≥ 15. The parameters of the model are (d_0, d_1), (v_1^l, v_1^u, v_2^l, v_2^u). The most strict parameter valuation is ((150, 149), (10, 11, 10, 11)) (see the control TA in Fig. 3). The overall system with these parameters satisfies Φ_safe, thus Φ_acc (5), which is validated via UPPAAL.

First, binary search is used to find the tightest valuations in lines 8, 9, 10. In the first step, for the minimization of d_1, ((150, 15), (10, 11, 10, 11)) is found to be satisfying. For this valuation, d_1 = d_min, thus the control automaton completely avoids a_2 = -2. Note that for v_2^l, v_2^u, the upper bounds with respect to (4) are 10 and 11, respectively. Thus their values do not change in lines 9 and 10. Next, the minimization of d_0 returns 70. The optimization of v_1^l, v_1^u for ((70, 15), (10, 11, 10, 11)) reveals that increasing either of them results in a violation of the specification. Thus the algorithm returns ((70, 15), (10, 11, 10, 11)). The resulting strategy is to decelerate at a_1 = -1 when there is a vehicle within 70 m. When there is a lead vehicle with a constant speed of v_l = 10 m/s (v_min), this strategy matches the speed of the leading vehicle when d = 15 m.


Next, the FindNext(·) method given in Alg. 2 is used in lines 8, 9, 10. Again, the optimization starts with ((150, 149), (10, 11, 10, 11)). The satisfying parameters found by the algorithm are given below. Each line is marked with the iteration number over the main loop and the optimized parameter, whose new value is the entry that differs from the previous line.

It: 1, d_1: ((150, 82), (10, 11, 10, 11))
It: 1, d_0: ((116, 82), (10, 11, 10, 11))
It: 1, v_1^u: ((116, 82), (10, 15, 10, 11))
It: 1, v_1^l: ((116, 82), (12, 15, 10, 11))
It: 2, d_1: ((116, 48), (12, 15, 10, 11))
It: 2, d_0: ((82, 48), (12, 15, 10, 11))
It: 2, v_1^u: ((82, 48), (12, 17, 10, 11))
It: 2, v_1^l: ((82, 48), (15, 17, 10, 11))
It: 3, d_1: ((82, 32), (15, 17, 10, 11))
It: 3, d_0: ((57, 32), (15, 17, 10, 11))
It: 4, d_1: ((57, 31), (15, 17, 10, 11))
It: 4, d_0: ((54, 31), (15, 17, 10, 11))


The resulting ACC strategy uses both of the deceleration levels. Independent of the vehicle's velocity, when d < 31 m the vehicle decelerates with -2, since v_2^u = v_min + 1. When d > 54 the vehicle accelerates to its target speed. Finally, when d ∈ [32, 54], the vehicle decelerates with -1 if 17 < v, maintains its speed if 15 < v < 17, and accelerates if v < 15. This strategy postpones the deceleration compared to the first one (d_0 was 70) by utilizing the second deceleration level.


5. CONCLUSION 


We presented a timed automata model for the adaptive 
cruise control problem. We first constructed a template 
parametric TA for the given number of acceleration lev- 
els. Then, we presented an efficient parameter synthesis 
method for the particular parametric TA such that the 
resulting TA was guaranteed to satisfy the specifications. 